From 8f24c12be7a3b3ea105e67bba9a867fe210a2333 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 15 Jul 2013 11:28:46 +0300 Subject: [PATCH] ac3dec: Don't consume more data than the actual input packet size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was handled properly in the normal return case at the end of the function, but not in this special case. Returning a value larger than the input packet size can cause problems for certain library users. Returning the actual input buffer size unconditionally, since it is not guaranteed that frame_size is set to a sensible value at this point. Cc: libav-stable@libav.org Signed-off-by: Martin Storsjö --- libavcodec/ac3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index 512d54b822..6a2792e24d 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1308,7 +1308,7 @@ static int ac3_decode_frame(AVCodecContext * avctx, void *data, av_log(avctx, AV_LOG_ERROR, "unsupported frame type : " "skipping frame\n"); *got_frame_ptr = 0; - return s->frame_size; + return buf_size; } else { av_log(avctx, AV_LOG_ERROR, "invalid frame type\n"); }